AB 242, as amended, Chau. Privacy: Internet.
Existing law requires an operator of a commercial Web site or online service that collects personally identifiable information through the Internet, about individual consumers residing in California who use or visit its commercial Web site or online service, to make its privacy policy available to consumers, as specified.
[begin delete]This bill would require the privacy policy to be no more than 100 words, be written in clear and concise language, be written at no greater than an 8th grade reading level, and to include a statement indicating whether the personally identifiable information may be sold or shared with others, and if so, how and with whom the information may be shared.[end delete]
[begin insert]This bill would eliminate references to “privacy policy,” and instead refer to a privacy policy as a “policy.” The bill would require these policies to include hyperlinks to the Web pages where a consumer may file a complaint, as specified, if an operator collects personal information about an individual consumer.[end insert]
Vote: majority. Appropriation: no. Fiscal committee: no. State-mandated local program: no.
The people of the State of California do enact as follows:
Section 22575 of the Business and Professions Code is amended to read:
(a) An operator of a commercial Web site or online service that collects personally identifiable information through the Internet about individual consumers residing in California who use or visit its commercial Web site or online service shall conspicuously post its privacy policy on its Web site, or in the case of an operator of an online service, make that policy available in accordance with paragraph (5) of subdivision (b) of Section 22577. An operator shall be in violation of this subdivision only if the operator fails to post its policy within 30 days after being notified of noncompliance.
(b) The privacy policy required by subdivision (a) shall do all of the following:
(1) Identify the categories of personally identifiable information that the operator collects through the Web site or online service about individual consumers who use or visit its commercial Web site or online service and the categories of third-party persons or entities with whom the operator may share that personally identifiable information.
(2) If the operator maintains a process for an individual consumer who uses or visits its commercial Web site or online service to review and request changes to any of his or her personally identifiable information that is collected through the Web site or online service, provide a description of that process.
(3) Describe the process by which the operator notifies consumers who use or visit its commercial Web site or online service of material changes to the operator’s privacy policy for that Web site or online service.
(4) Identify its effective date.
(c) The privacy policy required by this section shall be no more than 100 words and shall be written in clear and concise language at no greater than an eighth grade reading level. The privacy policy shall include a statement indicating whether the personally identifiable information may be sold or shared with others, and if so, how and with whom the information may be shared.
[begin insert]Section 22575 of the Business and Professions Code is amended to read:[end insert]
(a) An operator of a commercial Web site or online service that collects personally identifiable information through the Internet about individual consumers residing in California who use or visit its commercial Web site or online service shall conspicuously post [begin delete]its privacy[end delete] [begin insert]a[end insert] policy on its Web site, or in the case of an operator of an online service, make that policy available in accordance with paragraph (5) of subdivision (b) of Section 22577. An operator shall be in violation of this subdivision only if the operator fails to post its policy within 30 days after being notified of noncompliance.
(b) The [begin delete]privacy[end delete] policy required by subdivision (a) shall do all of the following:
(1) Identify the categories of personally identifiable information that the operator collects through the Web site or online service about individual consumers who use or visit its commercial Web site or online service and the categories of third-party persons or entities with whom the operator may share that personally identifiable information.
(2) If the operator maintains a process for an individual consumer who uses or visits its commercial Web site or online service to review and request changes to any of his or her personally identifiable information that is collected through the Web site or online service, provide a description of that process.
(3) Describe the process by which the operator notifies consumers who use or visit its commercial Web site or online service of material changes to the operator’s [begin delete]privacy[end delete] policy for that Web site or online service.
(4) Identify its effective date.
(5) Disclose how the operator responds to Web browser “do not track” signals or other mechanisms that provide consumers the ability to exercise choice regarding the collection of personally identifiable information about an individual consumer’s online activities over time and across third-party Web sites or online services, if the operator engages in that collection.
(6) Disclose whether other parties may collect personally identifiable information about an individual consumer’s online activities over time and across different Web sites when a consumer uses the operator’s Web site or service.
(7) An operator may satisfy the requirement of paragraph (5) by providing a clear and conspicuous hyperlink in the operator’s privacy policy to an online location containing a description, including the effects, of any program or protocol the operator follows that offers the consumer that choice.
(8) If an operator collects personal information about an individual consumer, include hyperlinks to the Web pages where the consumer may file a complaint with the Attorney General and the Federal Trade Commission.
[begin insert]Section 22576 of the Business and Professions Code is amended to read:[end insert]
An operator of a commercial Web site or online service that collects personally identifiable information through the Web site or online service from individual consumers who use or visit the commercial Web site or online service and who reside in California shall be in violation of this section if the operator fails to comply with the provisions of Section 22575 or with the provisions of its posted [begin delete]privacy[end delete] policy in either of the following ways:
(a) Knowingly and willfully.
(b) Negligently and materially.
[begin insert]Section 22577 of the Business and Professions Code is amended to read:[end insert]
For the purposes of this chapter, the following definitions apply:
(a) The term “personally identifiable information” means individually identifiable information about an individual consumer collected online by the operator from that individual and maintained by the operator in an accessible form, including any of the following:
(1) A first and last name.
(2) A home or other physical address, including street name and name of a city or town.
(3) An e-mail address.
(4) A telephone number.
(5) A social security number.
(6) Any other identifier that permits the physical or online contacting of a specific individual.
(7) Information concerning a user that the Web site or online service collects online from the user and maintains in personally identifiable form in combination with an identifier described in this subdivision.
(b) The term “conspicuously post” with respect to a [begin delete]privacy[end delete] policy shall include posting the [begin delete]privacy[end delete] policy through any of the following:
(1) A Web page on which the actual [begin delete]privacy[end delete] policy is posted if the Web page is the homepage or first significant page after entering the Web site.
(2) An icon that hyperlinks to a Web page on which the actual [begin delete]privacy[end delete] policy is posted, if the icon is located on the homepage or the first significant page after entering the Web site, and if the icon contains the [begin delete]word “privacy.”[end delete] [begin insert]words “using your information.”[end insert] The icon shall also use a color that contrasts with the background color of the Web page or is otherwise distinguishable.
(3) A text link that hyperlinks to a Web page on which the actual [begin delete]privacy[end delete] policy is posted, if the text link is located on the homepage or first significant page after entering the Web site, and if the text link does one of the following:
(A) Includes the [begin delete]word “privacy.”[end delete] [begin insert]words “using your information.”[end insert]
(B) Is written in capital letters equal to or greater in size than the surrounding text.
(C) Is written in larger type than the surrounding text, or in contrasting type, font, or color to the surrounding text of the same size, or set off from the surrounding text of the same size by symbols or other marks that call attention to the language.
(4) Any other functional hyperlink that is so displayed that a reasonable person would notice it.
(5) In the case of an online service, any other reasonably accessible means of making the [begin delete]privacy[end delete] policy available for consumers of the online service.
(c) The term “operator” means any person or entity that owns a Web site located on the Internet or an online service that collects and maintains personally identifiable information from a consumer residing in California who uses or visits the Web site or online service if the Web site or online service is operated for commercial purposes. It does not include any third party that operates, hosts, or manages, but does not own, a Web site or online service on the owner’s behalf or by processing information on behalf of the owner.
(d) The term “consumer” means any individual who seeks or acquires, by purchase or lease, any goods, services, money, or credit for personal, family, or household purposes.
[begin insert]Section 22578 of the Business and Professions Code is amended to read:[end insert]
It is the intent of the Legislature that this chapter is a matter of statewide concern. This chapter supersedes and preempts all rules, regulations, codes, ordinances, and other laws adopted by a city, county, city and county, municipality, or local agency regarding the posting of a [begin delete]privacy[end delete] policy on an Internet Web site.